Malicious code frequently included with screensavers and other free software can surreptitiously make any number of changes to Chrome settings. Injecting ads into webpages and blocking the ability to revert settings to those previously chosen by the user are two of the more common ways unscrupulous developers tamper with browser options. The hijackings were among the top issues users reported in Chrome help forums when the reset button was introduced in October. Upson explained:

Despite this, settings hijacking remains our number one user complaint. To make sure the reset option reaches everyone who might need it, Chrome will be prompting Windows users whose settings appear to have been changed if they’d like to restore their browser settings back to factory default. If you’ve been affected by settings hijacking and would like to restore your settings, just click “Reset” on the prompt below when it appears.

Note that this will disable any extensions, apps, and themes you have installed. If you’d like to reactivate any of your extensions after the reset, you can find and re-enable them by looking in the Chrome menu under “More tools > Extensions.” Apps are automatically re-enabled the next time you use them.

Some hijackers are especially pernicious and have left behind processes that are meant to undermine user control of settings, so you may find that you’re hijacked again after a short period of time. If that happens you can find additional help uninstalling such programs in the Chrome help forum—and remember even if you don’t see the prompt, you can always restore Chrome to a fresh state by clicking the reset button in your Chrome settings.

It's not immediately clear what effect the new warnings might have on Chrome extensions that have been updated to include adware. As Ars reported last month, some adware developers are buying popular extensions and updating them to inject ads into webpages. As Upson explained, however, users who are in doubt about the integrity or trustworthiness of a previously installed extension can use the reset button to disable extensions and later reactivate them if they're deemed safe.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

What do you want them to do, then? They're damned if they do and damned if they don't.

Do: "Oh, people are going to ignore that because it looks fishy even though it's not."

Don't: "Oh, people don't fix these problems because there's no easy way for them to fix it."

While I agree that a lot of people would (and should) be suspicious of a popup message like that, at least it might give some of them an inkling that something might be wrong. I'd say it's better than nothing.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

What do you want them to do, then? They're damned if they do and damned if they don't.

Do: "Oh, people are going to ignore that because it looks fishy even though it's not."

Don't: "Oh, people don't fix these problems because there's no easy way for them to fix it."

The only winning move is not to play.

No, the only winning move is to design a browser that makes you have to confirm all changes to the browser and all extensions the first time that they are run. Best policy would be to add a 'confirm to run on update' as well.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

What do you want them to do, then? They're damned if they do and damned if they don't.

Do: "Oh, people are going to ignore that because it looks fishy even though it's not."

Don't: "Oh, people don't fix these problems because there's no easy way for them to fix it."

The only winning move is not to play.

No, the only winning move is to design a browser that makes you have to confirm all changes to the browser and all extensions the first time that they are run. Best policy would be to add a 'confirm to run on update' as well.

There is a simple solution to all of this: maintain a blacklist of browser plugins that sideload without the user expressly initiating the installation. I'm sure the people that maintain the Adblock lists would be happy to put some time in on it.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

What do you want them to do, then? They're damned if they do and damned if they don't.

Do: "Oh, people are going to ignore that because it looks fishy even though it's not."

Don't: "Oh, people don't fix these problems because there's no easy way for them to fix it."

The only winning move is not to play.

No, the only winning move is to design a browser that makes you have to confirm all changes to the browser and all extensions the first time that they are run. Best policy would be to add a 'confirm to run on update' as well.

Isn't that essentially what this is, though?

No, this is an "After the fact" that does not get into specifics. For something like this to work, it has to list exactly what was changed or added so that the person in question can go online and find out "Okay, this is bad stuff.... forbid and remove!"

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

What do you want them to do, then? They're damned if they do and damned if they don't.

Do: "Oh, people are going to ignore that because it looks fishy even though it's not."

Don't: "Oh, people don't fix these problems because there's no easy way for them to fix it."

The only winning move is not to play.

No, the only winning move is to design a browser that makes you have to confirm all changes to the browser and all extensions the first time that they are run. Best policy would be to add a 'confirm to run on update' as well.

I don't see a way to do this so long as the browser settings are stored in a location where you, the user, have access to write the settings.

Google could do something like require privilege elevation to write the settings. But then you're stuck with elevation prompts to save the data. Those prompts just annoy users. I honestly don't see a good solution to this.

If I saw that popup I'd worry that it was malware masquerading as Chrome and be very leery of clicking it.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

They could probably have something in your Google account so that it shows your picture/phrase type of thing, something that a malware provider wouldn't be able to access. Of course, even after setting that up I'm sure people would click the OK button without thinking about authenticity.

My brother recently got the "conduit.com" hack on Chrome; it makes it the homepage and nothing seems to fix it, after running Malwarebytes and others. Hopefully this helps with that sort of thing.

Actually, my IE was infected with it a couple of times recently. Not sure why Chrome is not. BTW, just uninstalling "search protect" from Control Panel -> Programs and Features should remove the malware and set your homepage to something else.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

I've noticed that AVG has some really unprofessional-looking notification pop-ups these days...

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

Instead of using pop-ups, have a separate application, like Windows updater, that reports browser problems?

Edit: Then again, they'd probably try to make a pop-up window look like it.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

What do you want them to do, then? They're damned if they do and damned if they don't.

Do: "Oh, people are going to ignore that because it looks fishy even though it's not."

Don't: "Oh, people don't fix these problems because there's no easy way for them to fix it."

The only winning move is not to play.

No, the only winning move is to design a browser that makes you have to confirm all changes to the browser and all extensions the first time that they are run. Best policy would be to add a 'confirm to run on update' as well.

And then people will blindly click yes to get the dialogs to go away. Next idea?

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

What do you want them to do, then? They're damned if they do and damned if they don't.

Do: "Oh, people are going to ignore that because it looks fishy even though it's not."

Don't: "Oh, people don't fix these problems because there's no easy way for them to fix it."

The only winning move is not to play.

No, the only winning move is to design a browser that makes you have to confirm all changes to the browser and all extensions the first time that they are run. Best policy would be to add a 'confirm to run on update' as well.

I don't see a way to do this so long as the browser settings are stored in a location where you, the user, have access to write the settings.

Google could do something like require privilege elevation to write the settings. But then you're stuck with elevation prompts to save the data. Those prompts just annoy users. I honestly don't see a good solution to this.

I must be missing something. Why does a user having the ability to manually edit the settings matter here? It sounds like he is talking about limiting what a web page/extension can do. If a web page/extension figures out how to break out of that sandbox, you have many more problems than how to let the user know it's editing Chrome's settings...

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

There is no easy answer to these issues. But I would rather Google, et al. try to warn users and have a reset to a known, well-defined state than not to have any warning at all. Also, as the family "nerd buddy" I would rather Aunt Mabel and Uncle Seymour call me because of a warning than have their browser hijacked.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

Customization may help a bit. I know that one of the reasons Linux distros are relatively safe from these kinds of spoof attacks is that people who code them can't predict what your exact setup will be like. What if Chrome included your Google+ image (or some other private image) on all pop-up communications from Google? This would make it difficult to spoof broadly.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

For UAC, I tell family to hit the Windows key. If the start menu/screen comes up, the warning isn't real.

One idea to help combat spoofing these screens is to require users to personalize the window where the message is displayed in some obvious way. Then you train users that if you don't see your personalized message/picture/whatever, it isn't an authentic dialog.

My brokerage account does a form of this for their site. The first time I log in from a new computer, I can set a picture that will always show up when I'm at the correct domain. If I don't see the picture, I know I'm being phished. I suppose this works fairly well for my wife or mom who I doubt ever double check the address bar.

**edit** Clarified an ambiguous forward slash. Wife and mom are definitely different people.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

What do you want them to do, then? They're damned if they do and damned if they don't.

Do: "Oh, people are going to ignore that because it looks fishy even though it's not."

Don't: "Oh, people don't fix these problems because there's no easy way for them to fix it."

Whether we buy them ready-made, or our relatives ask us to help create and maintain them, a walled garden really is a reasonable tradeoff for some people.

This approach only works if the trust we place in developers is good for the lifetime of the product. If I download a tab manager that gets thousands of good ratings, but then later the devs sell it to an adware company, the walled garden is breached.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

Can we have protected areas of the browser display that cannot be mimicked by malware or accessed by normal HTML? Perhaps something in the address bar or the Window area at the top? If the address bar were to turn red that would certainly get my attention.

I'm seeing a lot of the same comments in this thread that I saw in the fake antivirus story from yesterday: that users aren't smart enough, or knowledgeable enough, to handle this sort of thing.

Which is kind of a given. Users are always the most vulnerable point in any security system. What needs to be done is for society to recognize this is a problem that isn't going away, that there's not much the government can do to stop it, and that ultimate responsibility rests with users. To improve the situation, basic computer security skills should be taught in grade school and college. Why wouldn't these skills be a pre-requisite for an undergraduate degree? Schools are forcing disinterested students to learn about art and history, so how about making practical skills a requirement. Make them paranoid. Secure their networks.

Same goes for basic typing skills. Those should replace cursive. We live in an unimaginably different world than could have been predicted twenty-five years ago: where everybody is threatened with malware, and nobody writes in cursive. The education system should strive to adapt.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

They can use copyright law to go after the people who write malicious code that mimics the Chrome warning window. And strengthen anti-piracy and anti-wiretapping laws. I find it hard to believe that they can't track down the individuals who are responsible for this malware. Substantive prosecutions and serious punishments would make others think twice before doing it.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

So how should the box look to give confidence that it is real? More to the point, what will stop malware writers from mimicking any design of a valid message, causing more erosion of trust?

I bring these questions up non-sarcastically, because this issue extends well beyond Chrome. Windows UAC boxes have been spoofed, so people distrust those. Legitimate AV software warnings are seen as suspicious, and users may not do anything to stop actual attacks.

I don't have answers here, but it's an issue that I'm sure is on the minds of a lot of people in the industry.

For UAC, I tell family to hit the Windows key. If the start menu/screen comes up, the warning isn't real.

One idea to help combat spoofing these screens is to require users to personalize the window where the message is displayed in some obvious way. Then you train users that if you don't see your personalized message/picture/whatever, it isn't an authentic dialog.

My brokerage account does a form of this for their site. The first time I log in from a new computer, I can set a picture that will always show up when I'm at the correct domain. If I don't see the picture, I know I'm being phished. I suppose this works fairly well for my wife/mom who I doubt ever double check the address bar.

Sounds like those fake ransom pages. How would you know if it's authentic? As far as I am concerned Google is the only one I worry about. I use my Windows 7 PC constantly all day long much of the time on the internet. Only have had a couple pieces of malware in two years. I had a Chromebook for a while too and Google promised that it took care of malware on that device too. But how can anyone verify that? Should I take Google's word that they are on the job?

Gee, maybe half of the problem is that your OS is compromised because you got trustworthy open-source software by Googling it. Try googling something esoteric like "Firefox", there's probably a couple of ads for a better build that has various hijack toolbars and purple monkeys built in. Those ads are offset in a box that is the EXACT faint yellow that pre-IPS screens can't render, so those BS listings look just fine.

The problem is that Google doesn't really care whether you are safe from attackers. The moment there's a conflict of interest between your safety and their ad revenue you lose.

That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I'd bother teaching her how to identify it, as I'd assume someone will develop malware to closely resemble it. May not be as useful as intended.

What do you want them to do, then? They're damned if they do and damned if they don't.

Do: "Oh, people are going to ignore that because it looks fishy even though it's not."

Don't: "Oh, people don't fix these problems because there's no easy way for them to fix it."

The only winning move is not to play.

No, the only winning move is to design a browser that makes you have to confirm all changes to the browser and all extensions the first time that they are run. Best policy would be to add a 'confirm to run on update' as well.

I don't see a way to do this so long as the browser settings are stored in a location where you, the user, have access to write the settings.

Google could do something like require privilege elevation to write the settings. But then you're stuck with elevation prompts to save the data. Those prompts just annoy users. I honestly don't see a good solution to this.

I don't see the problem with elevation prompts here. The most fundamental question is: what browser settings should be possible for a webpage or plug-in to alter? For example, home page hijacking is pretty common. Should a webpage or plug-in be able to change your home page? I would say no. Problem solved. It's easy for a user to change their home page themselves. I think it's fair to say the majority of the time when it is done for them, it is not deliberate. The trivial advantage of doing it automatically is far outweighed by the hassle of hijacking.

Plug-ins do need to change some settings, but an elevation prompt when you first install the plug-in seems like a perfectly reasonable step.